[Spice-devel] Brainstorming help with x11spice on socket permissions across users

Jeremy White jwhite at codeweavers.com
Tue May 26 13:55:46 UTC 2020


Hi all,

I'm trying to get x11spice and spice-html5, at least as packaged for 
Fedora, into a pretty much 'turn key' state.

I've got 3 use cases.  The first is user A sharing their current 
desktop, either for themselves, or to get help.  That case is largely 
done, imho, modulo some documentation and perhaps some streamlining. 
The second is user A getting access to a new session for themselves.  I 
don't feel blocked on this case; the work should be straightforward, if 
fiddly (I may regret those words; doing a secure 'su' like function out 
of apache may be harder than I think).

The 3rd case, however, has me troubled.  This is the case that user A 
(potentially apache) starts x11spice which then does an xdmcp request to 
gdm, and eventually supports a login by user B.  This makes it 
challenging to provide a way for user B to launch a spice agent or a 
pulseaudio daemon and have it securely connect back to the spice process 
started by user A.  The approach I've used in the past is to have a 
privileged binary use information from an X atom to adjust socket 
permissions.  But that feels unsatisfying, and it seems to me that this 
is an area with a lot of modern thinking that I've largely missed.

As an added complexity, in the ideal case, you have a vdagent running as 
user A during the login process, which knows to reap itself and give way 
to a vdagent launched by user B.

I was hoping that others would have modern instincts on how to more 
correctly implement the third use case.  Clue bats or other ideas welcome.

Cheers,

Jeremy

